Jason R. Coombs <jar...@jaraco.com> added the comment:

> Does `joinpath` have less validation?

Yes. Previously, resources.* would perform some validation on the path to 
ensure that it didn't contain path separators (to avoid users attempting to get 
resources in subdirectories or perhaps manipulating the path in other ways).

So no, they're not equivalent. If `resource_name` or "zones" ever contained 
path separators, the former implementation would raise an error whereas this 
implementation would attempt to join those characters to the path. Since 
"zones" is a static string, it's clearly not affected. And `resource_name` 
can't have posixpath.sep. If `key` had an ntpath.sep, that might behave 
differently, but that seemed like an edge case not worth exploring.

If it is worth exploring, I would recommend not to use normalize_path, but 
instead to implement the validation in zoneinfo._common. That is, wrap key in 
`_validate_key()` that protects against invalid paths. But in practice, it's 
better to do that closer to where the unsanitized data would be encountered (if 
at all).

----------

_______________________________________
Python tracker <rep...@bugs.python.org>
<https://bugs.python.org/issue46124>
_______________________________________
_______________________________________________
Python-bugs-list mailing list
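
An added example, not part of the original comment and not CPython's code: one possible `_validate_key()` of the kind suggested above, compared with a bare `joinpath` call that accepts whatever it is given. The `open_resource` and `demo` helpers, the temporary directory layout and the sample keys are constructed for illustration, and the key is assumed to be split on "/" before its last component is joined.

```python
import ntpath
import posixpath
import tempfile
from pathlib import Path


def _validate_key(key):
    """Return key unchanged if every '/'-separated component is a plain name.

    Hypothetical implementation of the wrapper suggested above.
    """
    for part in key.split(posixpath.sep):
        # Reject empty, '.' and '..' components and any ntpath.sep, on every
        # platform, so the result does not depend on the host OS.
        if part in ("", ".", "..") or ntpath.sep in part:
            raise ValueError(f"invalid time zone key: {key!r}")
    return key


def open_resource(root, key, validate=True):
    """Join key onto root; with validate=False this is a bare joinpath()."""
    if validate:
        key = _validate_key(key)
    *dirs, resource_name = key.split(posixpath.sep)
    return root.joinpath(*dirs).joinpath(resource_name)


def demo():
    """Map each constructed sample key to (escapes_root, validator_verdict)."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp, "zoneinfo")
        (root / "Europe").mkdir(parents=True)
        (root / "Europe" / "Paris").write_bytes(b"TZif")  # constructed sample
        for key in ("Europe/Paris", "../outside", "Europe\\Paris"):
            # joinpath() alone never raises; it only builds the path.
            unchecked = open_resource(root, key, validate=False)
            escapes = root.resolve() not in unchecked.resolve().parents
            try:
                open_resource(root, key)
                verdict = "accepted"
            except ValueError:
                verdict = "rejected"
            results[key] = (escapes, verdict)
    return results


if __name__ == "__main__":
    for key, outcome in demo().items():
        print(f"{key!r}: escapes_root={outcome[0]} validator={outcome[1]}")
```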